VYPR
Moderate severity · NVD Advisory · Published Sep 13, 2018 · Updated Sep 17, 2024

CVE-2018-16982

Description

OpenCC 1.0.5 crashes via crafted .ocd file exploiting out-of-bounds offset reads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Open Chinese Convert (OpenCC) version 1.0.5 contains a vulnerability in the BinaryDict::NewFromFile method within BinaryDict.cpp. The function fails to validate that keyOffset and valueOffset values read from a binary dictionary file (.ocd) are within the bounds of the file. A specially crafted .ocd file can provide out-of-bounds offset values, leading to a segmentation fault. [2][4]

Exploitation

An attacker can exploit this vulnerability by supplying a malicious .ocd file that contains invalid keyOffset or valueOffset entries. No authentication or special privileges are required; the attacker only needs to trick a user or application into opening the crafted dictionary file using OpenCC. The parsing logic reads these offsets without checking if they exceed the file size, causing an out-of-bounds memory access which triggers a crash. [2][4]

Impact

Successful exploitation causes a denial of service (DoS) via segmentation fault. The attacker can crash the application or service using OpenCC when processing the malicious dictionary file. There is no indication of code execution or information disclosure beyond the crash. [1][3]

Mitigation

The vulnerability was addressed in a pull request on the OpenCC GitHub repository [2][4], but no fixed official release version was explicitly noted in the provided references. Users should update to the latest version of OpenCC (beyond 1.0.5) from the official repository [1]. If an update is not immediately available, avoid opening untrusted .ocd files.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
opencc (npm)       < 1.1.2             1.1.2

Patches

1 patch

Commit 4a4f9e58e505: Check offset bounds in BinaryDict::NewFromFile method

https://github.com/byvoid/opencc · Peng Wu · Mar 1, 2021 · via ghsa
1 file changed · +8 −2
  • src/BinaryDict.cpp · +8 −2 · modified
    @@ -67,6 +67,12 @@ void BinaryDict::SerializeToFile(FILE* fp) const {
     }
     
     BinaryDictPtr BinaryDict::NewFromFile(FILE* fp) {
    +  size_t offsetBound, savedOffset;
    +  savedOffset = ftell(fp);
    +  fseek(fp, 0L, SEEK_END);
    +  offsetBound = ftell(fp) - savedOffset;
    +  fseek(fp, savedOffset, SEEK_SET);
    +
       BinaryDictPtr dict(new BinaryDict(LexiconPtr(new Lexicon)));
     
       // Number of items
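Review bot: the new `ftell`/`fseek` prologue has no error handling, and both `savedOffset = ftell(fp)` and `offsetBound = ftell(fp) - savedOffset` store `long` results into `size_t`. If `fp` is not seekable (a pipe, or any stream where `ftell` fails) the -1 return becomes a huge unsigned value, so `offsetBound` is effectively unlimited and the `>= offsetBound` checks added below never fire; a failed `fseek(fp, 0L, SEEK_END)` likewise leaves the stream wherever it was. Suggest keeping the `ftell` results in `long`, checking each call, and throwing `InvalidFormat` on failure, e.g. `long start = ftell(fp); if (start < 0 || fseek(fp, 0L, SEEK_END) != 0) throw InvalidFormat("Invalid OpenCC binary dictionary (seek)");` before computing the bound. A one-line comment that `offsetBound` is the remaining length of the file (not of `keyBuffer`/`valueBuffer`, which is what the offsets index) would also help the next reader.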
    @@ -113,7 +119,7 @@ BinaryDictPtr BinaryDict::NewFromFile(FILE* fp) {
         // Key offset
         size_t keyOffset;
         unitsRead = fread(&keyOffset, sizeof(size_t), 1, fp);
    -    if (unitsRead != 1) {
    +    if (unitsRead != 1 || keyOffset >= offsetBound) {
           throw InvalidFormat("Invalid OpenCC binary dictionary (keyOffset)");
         }
         std::string key = dict->keyBuffer.c_str() + keyOffset;
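Review bot: `keyOffset >= offsetBound` bounds the offset against the remaining length of the whole file, but the very next line uses it as an index into `dict->keyBuffer`, which is only one part of that file. An offset that is smaller than the file remainder yet larger than `keyBuffer.size()` still passes this check and still reads past the buffer. Since `keyBuffer` is already populated here, the direct guard is `keyOffset >= dict->keyBuffer.size()`; with that bound `c_str() + keyOffset` always starts inside the NUL-terminated buffer, so the `std::string` construction cannot run off its end.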
    @@ -122,7 +128,7 @@ BinaryDictPtr BinaryDict::NewFromFile(FILE* fp) {
         for (size_t j = 0; j < numValues; j++) {
           size_t valueOffset;
           unitsRead = fread(&valueOffset, sizeof(size_t), 1, fp);
    -      if (unitsRead != 1) {
    +      if (unitsRead != 1 || valueOffset >= offsetBound) {
             throw InvalidFormat("Invalid OpenCC binary dictionary (valueOffset)");
           }
           const char* value = dict->valueBuffer.c_str() + valueOffset;
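Review bot: same issue as the key loop: `valueOffset >= offsetBound` compares against the file length while the line below indexes `dict->valueBuffer`, so `valueOffset >= dict->valueBuffer.size()` is the precise check. The two new conditions and their messages are otherwise identical; a small helper such as `checkOffset(offset, bound, "valueOffset")` that throws `InvalidFormat` would keep the comparison and the message in one place and make it harder for the two loops to drift apart.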
    

Vulnerability mechanics

Root cause

"Missing bounds validation on keyOffset and valueOffset fields in BinaryDict::NewFromFile allows out-of-bounds read from crafted .ocd files."

Attack vector

An attacker crafts a malicious `.ocd` binary dictionary file containing out-of-bounds `keyOffset` or `valueOffset` values. When OpenCC loads this file via `BinaryDict::NewFromFile`, the function reads these unchecked offsets and uses them to index into `keyBuffer` or `valueBuffer`, causing an out-of-bounds read [CWE-125]. This results in a segmentation fault and denial of service. No authentication or special network access is required; the attacker only needs to supply the crafted file to an application that uses OpenCC to load dictionary data.

Affected code

The vulnerable function is `BinaryDict::NewFromFile` in `src/BinaryDict.cpp`. The method reads `keyOffset` and `valueOffset` values from a binary `.ocd` dictionary file without first verifying that those offsets fall within the bounds of the file's data buffers.

What the fix does

The patch [patch_id=1701979] adds a bounds check before using `keyOffset` and `valueOffset`. It first computes `offsetBound` by seeking to the end of the file and subtracting the starting position. Then, after reading each offset, it checks `keyOffset >= offsetBound` (or `valueOffset >= offsetBound`) and throws `InvalidFormat` if the offset is out of range. This prevents the out-of-bounds read that caused the segmentation fault.
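The offset check the patch adds, as an added example (editor's code, not OpenCC's) applied to a constructed, simplified layout: a keyBuffer of NUL-separated keys plus an array of offsets into it. That layout, the helper names and the sample data are assumptions rather than the real .ocd format, and the bound is taken from the buffer's own size rather than the file length.

```cpp
// Added example (editor's code, not OpenCC's): the offset check from the fix
// applied to a simplified, constructed dictionary layout. The layout is an
// assumption, not the real .ocd format: a keyBuffer of NUL-separated keys plus
// an array of size_t offsets into it, as BinaryDict::NewFromFile uses them.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

struct InvalidFormat : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// The check the patch adds, isolated: an offset is usable only if it is
// strictly below the bound. With bound == keyBuffer.size() this guarantees
// c_str() + keyOffset lands inside the NUL-terminated buffer.
bool offsetInBounds(size_t keyOffset, size_t bound) { return keyOffset < bound; }

// Resolve one key the way the fixed NewFromFile does: validate, then read.
std::string keyAt(const std::string& keyBuffer, size_t keyOffset) {
  if (!offsetInBounds(keyOffset, keyBuffer.size())) {
    throw InvalidFormat("Invalid OpenCC binary dictionary (keyOffset)");
  }
  return std::string(keyBuffer.c_str() + keyOffset);  // stops at the next NUL
}

// Walk an offset table; throws InvalidFormat on the first bad offset instead
// of reading past the buffer (the read that crashed 1.0.5).
std::vector<std::string> loadKeys(const std::string& keyBuffer,
                                  const std::vector<size_t>& offsets) {
  std::vector<std::string> keys;
  for (size_t off : offsets) keys.push_back(keyAt(keyBuffer, off));
  return keys;
}

// Defender-side pre-screen: true if every offset resolves, false otherwise.
bool tableIsSane(const std::string& keyBuffer, const std::vector<size_t>& offsets) {
  try { loadKeys(keyBuffer, offsets); return true; }
  catch (const InvalidFormat&) { return false; }
}

// Constructed sample buffer: keys "abc" at offset 0 and "def" at offset 4.
std::string sampleKeyBuffer() { return std::string("abc\0def\0", 8); }

int main() {
  const std::string buf = sampleKeyBuffer();
  return (tableIsSane(buf, {0, 4}) && !tableIsSane(buf, {0, 1000})) ? 0 : 1;
}
```

Comparing `offsetInBounds(9, 20)` with `offsetInBounds(9, sampleKeyBuffer().size())` shows why the buffer size is the safer bound: a bound derived from a larger file remainder (20 here) admits an offset that the 8-byte buffer rejects.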

Preconditions

  • input: Attacker must supply a crafted .ocd binary dictionary file with out-of-bounds offset values.
  • config: The victim application must load the malicious .ocd file using OpenCC's BinaryDict::NewFromFile.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
